From 60feedab223cc7adee7eb56d13ae4e7f301ae9f1 Mon Sep 17 00:00:00 2001 From: Archana Polampalli Date: Wed, 2 Apr 2025 11:45:32 +0000 Subject: [PATCH] go: fix CVE-2025-22870 Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied. (From OE-Core rev: 88e79f915137edc5a37a110abdc79f5800404e45) Signed-off-by: Archana Polampalli Signed-off-by: Steve Sakoman --- meta/recipes-devtools/go/go-1.22.12.inc | 1 + .../go/go/CVE-2025-22870.patch | 80 +++++++++++++++++++ 2 files changed, 81 insertions(+) create mode 100644 meta/recipes-devtools/go/go/CVE-2025-22870.patch diff --git a/meta/recipes-devtools/go/go-1.22.12.inc b/meta/recipes-devtools/go/go-1.22.12.inc index 05aa3a95b6..df77794506 100644 --- a/meta/recipes-devtools/go/go-1.22.12.inc +++ b/meta/recipes-devtools/go/go-1.22.12.inc @@ -14,5 +14,6 @@ SRC_URI += "\ file://0007-exec.go-filter-out-build-specific-paths-from-linker-.patch \ file://0008-src-cmd-dist-buildgo.go-do-not-hardcode-host-compile.patch \ file://0009-go-Filter-build-paths-on-staticly-linked-arches.patch \ + file://CVE-2025-22870.patch \ " SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71" diff --git a/meta/recipes-devtools/go/go/CVE-2025-22870.patch b/meta/recipes-devtools/go/go/CVE-2025-22870.patch new file mode 100644 index 0000000000..6ed394c8e5 --- /dev/null +++ b/meta/recipes-devtools/go/go/CVE-2025-22870.patch @@ -0,0 +1,80 @@ +From 25177ecde0922c50753c043579d17828b7ee88e7 Mon Sep 17 00:00:00 2001 +From: Damien Neil +Date: Wed, 26 Feb 2025 16:08:57 -0800 +Subject: [PATCH] all: updated vendored x/net with security fix + +0b6d719 [internal-branch.go1.23-vendor] proxy, http/httpproxy: do not mismatch IPv6 zone ids against hosts + +Fixes CVE-2025-22870 +For #71985 + +Change-Id: Ib72c96bd0ab44d9ed2ac1428e0a9fc245464b3fc +Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2141 +Commit-Queue: Damien Neil +Reviewed-by: Roland Shoemaker +Reviewed-by: Neal Patel +Reviewed-on: https://go-review.googlesource.com/c/go/+/654695 +Reviewed-by: Damien Neil +Reviewed-by: Michael Pratt +LUCI-TryBot-Result: Go LUCI +Auto-Submit: Junyang Shao + +CVE: CVE-2025-22870 + +Upstream-Status: Backport [https://github.com/golang/go/commit/25177ecde0922c50753c043579d17828b7ee88e7] + +Signed-off-by: Archana Polampalli +--- + src/cmd/internal/moddeps/moddeps_test.go | 1 + + src/vendor/golang.org/x/net/http/httpproxy/proxy.go | 10 ++++++++-- + 2 files changed, 9 insertions(+), 2 deletions(-) + +diff --git a/src/cmd/internal/moddeps/moddeps_test.go b/src/cmd/internal/moddeps/moddeps_test.go +index 3d4c99e..ffaa16c 100644 +--- a/src/cmd/internal/moddeps/moddeps_test.go ++++ b/src/cmd/internal/moddeps/moddeps_test.go +@@ -33,6 +33,7 @@ import ( + // See issues 36852, 41409, and 43687. + // (Also see golang.org/issue/27348.) + func TestAllDependencies(t *testing.T) { ++ t.Skip("TODO(#71985) 1.23.7 contains unreleased changes from vendored modules") + goBin := testenv.GoToolPath(t) + + // Ensure that all packages imported within GOROOT +diff --git a/src/vendor/golang.org/x/net/http/httpproxy/proxy.go b/src/vendor/golang.org/x/net/http/httpproxy/proxy.go +index c3bd9a1..864961c 100644 +--- a/src/vendor/golang.org/x/net/http/httpproxy/proxy.go ++++ b/src/vendor/golang.org/x/net/http/httpproxy/proxy.go +@@ -14,6 +14,7 @@ import ( + "errors" + "fmt" + "net" ++ "net/netip" + "net/url" + "os" + "strings" +@@ -180,8 +181,10 @@ func (cfg *config) useProxy(addr string) bool { + if host == "localhost" { + return false + } +- ip := net.ParseIP(host) +- if ip != nil { ++ nip, err := netip.ParseAddr(host) ++ var ip net.IP ++ if err == nil { ++ ip = net.IP(nip.AsSlice()) + if ip.IsLoopback() { + return false + } +@@ -363,6 +366,9 @@ type domainMatch struct { + } + + func (m domainMatch) match(host, port string, ip net.IP) bool { ++ if ip != nil { ++ return false ++ } + if strings.HasSuffix(host, m.host) || (m.matchHost && host == m.host[1:]) { + return m.port == "" || m.port == port + } +-- +2.40.0